Rails - Feb 2006 - sudo in switchtower and security

I''m attempting to deploy a rails application using switchtower. My IT
guys
are refusing to give me sudo for a user changeable script. I really
can''t
argue with their logic. If I have sudo for a script that I can update, well,
I can do most anything I want.

They are suggesting I create a cgi that performs the same function. Since
the cgi would run as www-data (this is a debian system) it would be able to
kill (or signal) the www-data fcgi processes.

Comments or suggestions?

-Kelly
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060222/e4990675/attachment.html

On one hand I can see where your IT guys are coming from, but on the
other hand I''m not sure how you are expected to deploy and maintain
your application if you can''t restart the server and manage your fcgi
processes, using switchtower or otherwise.

What server are you using? Could you not set up your app in a folder
you have full rights on (under your home folder pehaps), and serve it
up using lighttpd that is also run as your own user. That way you
wouldn''t need to use sudo as everything runs under your own account.

Then all they have to do, assuming you already have apache running, is
set up mod_proxy to point at the lighttpd instance.

On 2/22/06, Kelly Felkins <railsinator@gmail.com>
wrote:
> I''m attempting to deploy a rails application using switchtower. My
IT guys
> are refusing to give me sudo for a user changeable script. I really
can''t
> argue with their logic. If I have sudo for a script that I can update,
well,
> I can do most anything I want.
>
>  They are suggesting I create a cgi that performs the same function. Since
> the cgi would run as www-data (this is a debian system) it would be able to
> kill (or signal) the www-data fcgi processes.
>
>  Comments or suggestions?
>
>  -Kelly
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
>
>

--
Cheers,
Luke Redpath
www.lukeredpath.co.uk

On Feb 22, 2006, at 12:24 PM, Luke Redpath wrote:
> On one hand I can see where your IT guys are coming from, but on the
> other hand I''m not sure how you are expected to deploy and
maintain
> your application if you can''t restart the server and manage your
fcgi
> processes, using switchtower or otherwise.
>
> What server are you using? Could you not set up your app in a folder
> you have full rights on (under your home folder pehaps), and serve it
> up using lighttpd that is also run as your own user. That way you
> wouldn''t need to use sudo as everything runs under your own
account.
>
> Then all they have to do, assuming you already have apache running, is
> set up mod_proxy to point at the lighttpd instance.
Another option is to put the restart logic in a script, and turn that  
script over to your IT department so that you no longer have control  
over it. Then, have them give you sudo permissions sufficient to  
execute that script.

It''ll require you to write a custom restart task, but it should be a  
simple one-liner.

- Jamis
>
> On 2/22/06, Kelly Felkins <railsinator@gmail.com> wrote:
>> I''m attempting to deploy a rails application using
switchtower. My
>> IT guys
>> are refusing to give me sudo for a user changeable script. I  
>> really can''t
>> argue with their logic. If I have sudo for a script that I can  
>> update, well,
>> I can do most anything I want.
>>
>>  They are suggesting I create a cgi that performs the same  
>> function. Since
>> the cgi would run as www-data (this is a debian system) it would  
>> be able to
>> kill (or signal) the www-data fcgi processes.
>>
>>  Comments or suggestions?
>>
>>  -Kelly
>>
>> _______________________________________________
>> Rails mailing list
>> Rails@lists.rubyonrails.org
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>>
>>
>>
>
>
> --
> Cheers,
> Luke Redpath
> www.lukeredpath.co.uk
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails